
Web Attack From My Websites

I was hoping someone can help me with more info. I have several subdomain websites on my hosting account. As of 2 months ago, when I go to one of my website domains, my Norton Anti-Virus instantly sends me a message telling me that it blocked a "Web Attack: Malicious Toolkit Website 9". The attacking computer name is usually different, but the alert has been the same.

I was looking at my PHP websites (including wordpress sites) and noticed several PHP files were changed on the same date/time (on a day I never accessed my account). The changed file names on all of my PHP sites were the same (such as "index.php" and that file name could be multiple folders). When I reviewed the files, it appears that a new line of code was injected at the very end of the PHP file (such as after the "/html" tag). I added the code from one file down below.

I changed all my passwords and deleted the line of injected code from all the changed php files last week. About 2 days ago, the code has appeared again at the end of the same PHP files.

Does anyone know how this is happening? Is there anything I can do to prevent code from being injected? I looked at the FTP log for this month, and the only IPs that show up belong to me. I'm not sure how multiple sites on my account seem to have this code injected all at the same time, all in the same file names.

Any help would be appreciated since I am not an expert with this. My message is too long, so I will post the long line of code under this message.

When you say my code is the same, do you mean my website code? I have several different website domains (with different php code; the Wordpress site isn't the same as one of my other php sites). All of my php sites have been hit, which are all under 1 master hosting account.

If you mean the injected code is the same, it does look similar. The code is too long to verify if it is the exact same or not, as you can see above.

My first approach would be to change the permissions on the file to the minimum. If you have enough credentials, the audit daemon would be one option: http://www.cyberciti.biz/tips/linux-...to-a-file.html. At least this would help you identify which user changes the file. If it's from your application you'll see it.

To verify if the files are the same a simple find and replace in your editor would suffice.
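The reply above suggests two checks: find out which files change, and verify whether the injected tail is the same across files. The following is an added example, not code from the thread or from either poster. It builds a SHA-256 baseline of every `.php` file under a web root, reports files that later differ from that baseline, and flags any non-whitespace content that follows the closing `</html>` tag, which is where the original poster says the line was appended. The file names, `CLEAN_INDEX`, and `INJECTED_LINE` are constructed sample data, not the real injected code; `demo()` runs the whole flow in a temporary directory.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample content: a clean PHP page, and a placeholder line that the
# demo appends after </html> to mimic the pattern described in the thread.
# Neither is the actual code from the poster's sites.
CLEAN_INDEX = "<?php echo 'hello'; ?>\n<html><body>site</body></html>\n"
INJECTED_LINE = "<?php /* constructed placeholder for the injected line */ ?>\n"

CLOSE_HTML = re.compile(r"</html>", re.IGNORECASE)


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every .php file under root (path relative to root) to its digest."""
    return {str(p.relative_to(root)): sha256_file(p) for p in root.rglob("*.php")}


def find_changed(root: Path, baseline: dict) -> dict:
    """Compare the tree against a saved baseline.

    Returns {relative_path: 'modified' | 'added' | 'missing'}; an empty dict
    means nothing changed since the baseline was taken.
    """
    current = build_baseline(root)
    report = {}
    for rel, digest in current.items():
        if rel not in baseline:
            report[rel] = "added"
        elif baseline[rel] != digest:
            report[rel] = "modified"
    for rel in baseline:
        if rel not in current:
            report[rel] = "missing"
    return report


def trailing_payload(path: Path) -> str:
    """Return any non-whitespace text after the last </html> tag, else ''."""
    text = path.read_text(errors="replace")
    matches = list(CLOSE_HTML.finditer(text))
    if not matches:
        return ""
    return text[matches[-1].end():].strip()


def scan_for_trailing_code(root: Path) -> dict:
    """Map each .php file that has content after </html> to that content.

    Because the same tail is returned for every file, comparing the values of
    this dict tells you whether the injected line is identical across sites.
    """
    found = {}
    for p in root.rglob("*.php"):
        tail = trailing_payload(p)
        if tail:
            found[str(p.relative_to(root))] = tail
    return found


def demo() -> tuple:
    """Baseline two clean files, inject one, and return (before, after) reports."""
    root = Path(tempfile.mkdtemp())
    for rel in ("index.php", "blog/index.php"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(CLEAN_INDEX)
    baseline = build_baseline(root)
    before = (find_changed(root, baseline), scan_for_trailing_code(root))
    with (root / "blog" / "index.php").open("a") as f:
        f.write(INJECTED_LINE)
    after = (find_changed(root, baseline), scan_for_trailing_code(root))
    return before, after


if __name__ == "__main__":
    print(demo())
```

In practice the baseline dict would be written to a file stored outside the web root (or on another host), since anything the web server user can write can also be tampered with; a cron job that runs `find_changed` and mails the report is enough to catch a re-injection within minutes rather than days.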

I added the code above to my htaccess, and I spent the last 2 days deleting all of the injected code (see above) in the php files on my 4 domains. I looked at my php files tonight, and the injected code is back in all of the same php files (on all 4 domains).

Are there any other sites affected on that server? I mean, how many sites do you have there? Are all of them affected? Try to put a site there, just a simple one with just index.php and nothing else. See if that gets affected as well.

Next you'll see the timestamp the files were modified. Compare it with the access logs and see if it actually came from a web request.

Next did you follow my suggestion about checking the file permissions and setting it to the minimum?

Next are there any cron jobs running? Check if any of them is doing this. (If you have enough credentials)

Next, are you hosted by those fly-by-night companies? "Sometimes" the cost of the more expensive, well established ones will just pay for itself.
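The second step in the reply above, comparing the modification timestamp of a changed file with the web server's access log, is the check that usually shows whether the rewrite came in through a web request (for example an upload handler or a leftover script) rather than FTP or cron. The following is an added example, not code from the thread or from either poster. It parses Apache combined-format log lines, converts a file's mtime to an aware UTC datetime, and lists the requests that landed within a window around that mtime, with POSTs sorted first since a GET rarely writes to disk. `SAMPLE_LOG`, `SAMPLE_MTIME` and the paths in them are constructed sample data.

```python
import os
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines and a constructed mtime; none of this is from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2014:03:10:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2014:03:15:20 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 44 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2014:03:15:25 +0000] "GET /blog/index.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2014:05:40:00 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "curl/7.30"
"""
SAMPLE_MTIME = datetime(2014, 3, 10, 3, 15, 22, tzinfo=timezone.utc)


def file_mtime_utc(path: str) -> datetime:
    """Modification time of a real file as an aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def parse_access_log(lines) -> list:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # %z understands the +0000 style offset that Apache writes.
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append({
            "ip": m.group("ip"),
            "time": ts,
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def requests_near(mtime: datetime, entries: list, window_seconds: int = 60) -> list:
    """Requests within +/- window_seconds of mtime, POSTs first, then by closeness."""
    lo = mtime - timedelta(seconds=window_seconds)
    hi = mtime + timedelta(seconds=window_seconds)
    hits = [e for e in entries if lo <= e["time"] <= hi]
    hits.sort(key=lambda e: (e["method"] != "POST",
                             abs((e["time"] - mtime).total_seconds())))
    return hits


def suspicious_writers(mtime: datetime, entries: list, window_seconds: int = 60) -> list:
    """Paths that received a POST inside the window: the scripts to inspect first."""
    return [e["path"] for e in requests_near(mtime, entries, window_seconds)
            if e["method"] == "POST"]


def demo() -> tuple:
    """Run the correlation over the constructed sample data."""
    entries = parse_access_log(SAMPLE_LOG.splitlines())
    return (requests_near(SAMPLE_MTIME, entries),
            suspicious_writers(SAMPLE_MTIME, entries))


if __name__ == "__main__":
    near, writers = demo()
    for e in near:
        print(e["time"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
    print("POST targets near the mtime:", writers)
```

Two caveats when running this against real data: the log's timezone offset and the filesystem's mtime must be compared in the same zone (the code normalises both to UTC), and an empty result for a window is itself informative, because a file rewritten with no matching request points at FTP, a cron job or another site on the same account rather than the web application.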